Viewing rules in Rules Dashboard

To open the Rules Dashboard in Google Security Operations, select Rules from the menu icon. The Rules Dashboard displays all of the rules stored in your Google Security Operations account. On systems that use data RBAC, you can view and manage only those rules that are bound to a data scope you have access to; rules outside your scopes do not appear in the dashboard.

The rules dashboard includes the following features:

  • Trend chart displays the rule with the greatest number of detections over the past 3 weeks.
  • A graph of the detection activity associated with the rules. Hovering over a bar in the chart displays the date and the number of detections for that day.
  • Run frequency indicates the approximate frequency the rule will execute.
  • Live Status (Enabled or Disabled).
  • Rule severity, as set in the rule's metadata.
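The severity column is read from the rule's own `meta` section, so a rule without a severity entry shows none in the dashboard. The following YARA-L rule is an added example, not code from the original page or from Google; the rule name, author, description, and the process paths it matches are hypothetical, chosen only to show where the metadata the dashboard displays comes from.

```yaral
// Hypothetical example rule: rundll32.exe started by an Office application.
// The meta section carries the fields the Rules Dashboard surfaces;
// severity is the value shown in the "Rule severity" column.
rule example_office_spawns_rundll32 {
  meta:
    author = "example author"
    description = "Hypothetical example: Office application launching rundll32.exe"
    severity = "HIGH"

  events:
    // Process launch events only.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Child process is rundll32.exe (regex, case-insensitive).
    $e.target.process.file.full_path = /rundll32\.exe$/ nocase
    // Parent process is an Office application (hypothetical list).
    $e.principal.process.file.full_path = /(winword|excel|powerpnt)\.exe$/ nocase
    // Group matches by host so each detection is per host per window.
    $e.principal.hostname = $host

  match:
    $host over 1h

  condition:
    $e
}
```

After the rule is saved and set to Live, its detections are counted in the activity graph, and changing the `severity` value in `meta` (for example to `"MEDIUM"`) creates a new rule version whose severity replaces the one shown in the dashboard.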

If you hover over a rule and click the menu icon to its right, you can open the Rule Settings menu and change the Live Rule, Run Frequency, and Notifications options.

  • Live Rule runs the rule continuously against your incoming logs, generating detections until the rule is deleted or disabled.
  • Alerting marks the rule's detections as alerts. An alert indicates an anomaly in the normal workflow of traffic within the enterprise and should be investigated as a possible breach of security.
  • Run Frequency indicates the approximate frequency at which the rule executes, and therefore the latency with which that rule's detections are discovered: a rule that runs less often surfaces its detections later.
  • YARA-L Retrohunt runs the selected rule against data already ingested into Google Security Operations, so you can find detections in historical data rather than only in logs that arrive after the rule goes live.
  • Edit Rule enables you to edit existing rules and create new rules.
  • View Rule Detections enables you to view detections generated by a live rule.
  • Archive hides the rule and the security data related to that rule (and all of its versions) without actually deleting the rule.

Clicking a rule name opens the Rule Detections view.